Natural Grocers Investigates Possible Card Breach

Sources within the financial industry speculate they have traced a pattern of fraudulent charges on credit and debit cards back to customers from Natural Grocers, suggesting hackers breached the point-of-sale system at registers across the nation.

Natural Grocers said in a statement Monday that the company recently learned of “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.” The grocer emphasized that it “has received no reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution.”

When questioned about the breach by investigator Brian Krebs, who had been notified of the possible Natural Grocers breach, the Lakewood, Colorado-based grocer said it has hired a third-party data forensics firm, alongside law enforcement, to help investigate the matter.

“In addition, there is no evidence that PIN numbers or card verification codes were accessed,” the company’s statement released Tuesday continued. “Finally, no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system.”

Financial institutions may not be reporting fraud to Natural Grocers, but sources within the industry told Krebs that a pattern of card fraud indicates cards stolen from the retailer are already on sale in the underground. That means hackers may have stolen the magnetic stripe data from cards and re-encoded blank cards, allowing criminals to make fraudulent charges at big-box retailers.

Hackers allegedly breached Natural Grocers just before Christmas 2014, gaining access by attacking a vulnerability within the company’s database servers. From there, attackers were able to breach Natural Grocers’ internal network and begin infecting point-of-sale systems with card-stealing malware.

During the ongoing investigation, Natural Grocers said the company has pushed forward plans to upgrade its point-of-sale systems with new PCI-compliant systems in all stores. The new systems will provide point-to-point encryption and new PIN pads that accept secure “chip and PIN” cards.

“These upgrades provide multiple layers of protection for cardholder data,” Natural Grocers’ public statement concludes. “The company is in the process of installing this new system at all 93 Natural Grocers stores in 15 states. We are committed to protecting our customers’ information and data security. This is all the information the company is able to provide at this time, as the investigation into the incident is ongoing.”